Providing all the extra info that didn't make it into the BlackHat 2012 USA Presentation "Still Passing the Hash 15 Years Later? Using the Keys to the Kingdom to Access All Your Data" by Alva Lease 'Skip' Duckwall IV and Christopher Campbell.

Sunday, December 16, 2012

And we're back...

Sorry folks for the delay in getting the blog updated. I'd meant to get back to the blog sooner, but I was on the road for a month, then I was trying to finish stuff up at work, then $excuse[0] and then $excuse[1] and then $excuse[$i++] ...

So, what shook me out of my stupor?

This article and the associated PDF from Microsoft talking about Pass-the-Hash.

Chris (@obscuresec), my speaking partner at BHUSA 2012 and Derbycon 2.0, had a similar response...

Then Richard Bejtlich (@taosecurity) asked for comments on Twitter about the paper... that sorta opened up the floodgate for both me and Chris. Long story short, I was asked to put some of my thoughts on the subject down, so here we go...

I've spent a couple days now re-reading the whitepaper. I've read for detail and am trying to make sure I'm completely understanding what they are saying and where they're going. I'm also trying (sometimes harder than others) to deliver a calm, rational response to the items in the whitepaper.

We'll see how that goes...

So, I'm going to have several blog entries about the whitepaper. I'm not quite sure how it's all going to be split up at this point, but I am going to start with a few overall observations and then we will see.

I'm going to start with a quick aside, as I want to make sure we are all on the same sheet of music when it comes to terminology. Please bear with me.

So, I would expect a "PTH Mitigation" to lessen the impact of PTH attacks. Makes sense, eh? OK, what's PTH (Pass-the-Hash)?

Short version: NTLM authentication never uses the plaintext password on the wire. The challenge response is computed directly from the NT hash (the MD4 of the UTF-16LE password), and the domain controller stores and checks that same hash. Microsoft therefore treats the password hash as equivalent to the password with NTLM. This means that you don't need the plaintext password to authenticate to a service. With a modified client, you can simply substitute the hash wherever the real client would use the password and it will still work.

Longer version: For our BHUSA 2012 talk, Chris and I wrote a whitepaper. You can read it here.

What PTH attacks are talked about in the MS whitepaper?

Microsoft in their whitepaper lists two specific examples of PTH attacks:
1) Using password hashes to move laterally from computer to computer. In this case the computers are of the same "value". This means that an attacker is moving from workstation to workstation instead of workstation to server.

2) Using password hashes to "privilege escalate", or to move from a lower valued computer to a higher valued computer. For example, moving from a workstation to a web server.

All of Microsoft's "mitigations" are meant to defend against one or both of these "attacks".

Quick Observations

It's obvious (aside from the 2 pages of writing credits) that this paper was written by many different hands. This becomes even more obvious when parts of the whitepaper contradict each other. I don't envy the job of the person who was supposed to pull everything together into some sort of semi-coherent beast.

The paper tries to do too much. It tries to be all things to all people. I realize that MS has been under pressure to deliver some sort of response to the 15-year-old PTH problem, but releasing a long, confusing whitepaper really doesn't solve anything and could possibly compound the issue by being easy to misread or misunderstand. God help us when people implement the "mitigations" and are still attacked with PTH. Microsoft had better be ready for the pitchforks and torches...

This is a complex subject. Windows authentication is a quagmire of backwards compatibility built on hacked solutions to hard problems (like single sign-on, SSO). You can't have a frank and complete conversation about Windows auth without talking about ALL of Windows auth, and the paper doesn't cover everything.

Pro Tip: You probably shouldn't have a "recommendation" for a mitigation that says "don't do this mitigation, instead do something else" (Read mitigation 2, p14.)

There are a lot of useful nuggets in the whitepaper. However, they're either buried or poorly worded.

Many of the mitigations seem redundant and could be summarized as "Don't be stupid".

The tone of the whitepaper is a weird combination of spin control, defeatism, and over-generalizations.

And Finally....

If somebody is already in your network and has your hashes none of the mitigations in the whitepaper will have any positive effect. None of the mitigations will give the attacker any pause, make life difficult, pester or bother them in any way.

I'm sorry, don't shoot the non-Microsoft messenger...

The only glimmer of hope is that some of these mitigations might make it more difficult for an attacker to obtain administrative hashes if they don't already have them. However, it's usually just a matter of time.

So, moving forward I plan on several blog entries. I think the first one is going to be an in-depth refresher on PTH. I'm also going to have to do a post on Windows authentication mechanisms and talk about the stuff the whitepaper glossed over... I'm also going to do a post on hash collection methods... and also on the "mitigation" techniques and what MS was shooting for and what the actual effects would be if implemented...